GNOME Bugzilla – Bug 547919
read 1 byte after allocated memory for ogg_packet
Last modified: 2008-08-19 18:34:29 UTC
Hi, I encountered the following problem while debugging with valgrind a small application. The same shows up when using totem-gstreamer and many ogg files. It seems that theora_read tries to read one byte past the ogg packet (see valgrind output below). My arch is 64bit, os is ubuntu hardy. Stream seems to play all right otherwise.

==21621== Invalid read of size 1
==21621==    at 0xB097B24: oggpackB_read (bitwise.c:360)
==21621==    by 0xB8D73B8: theora_read (decode.c:67)
==21621==    by 0xB8D5531: th_decode_headerin (decinfo.c:132)
==21621==    by 0xB8D4655: theora_decode_header (decapiwrapper.c:147)
==21621==    by 0xB6C9C8D: theora_dec_decode_buffer (theoradec.c:890)
==21621==    by 0xB6CA7B2: theora_dec_chain (theoradec.c:1437)
==21621==    by 0x51357E8: gst_pad_chain_unchecked (gstpad.c:3523)
==21621==    by 0xAA68500: gst_ogg_pad_stream_out (gstoggdemux.c:822)
==21621==    by 0xAA69870: gst_ogg_pad_submit_page (gstoggdemux.c:1162)
==21621==    by 0xAA69E65: gst_ogg_demux_read_chain (gstoggdemux.c:2405)
==21621==    by 0xAA6B407: gst_ogg_demux_loop (gstoggdemux.c:2665)
==21621==    by 0x514FB28: gst_task_func (gsttask.c:192)
==21621==  Address 0xe837b60 is 0 bytes after a block of size 80 alloc'd
==21621==    at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
==21621==    by 0x4E65EBB: g_malloc (in /usr/lib/libglib-2.0.so.0.1600.4)
==21621==    by 0x511386E: gst_buffer_new_and_alloc (gstbuffer.c:328)
==21621==    by 0xAA684B2: gst_ogg_pad_stream_out (gstoggdemux.c:816)
==21621==    by 0xAA69870: gst_ogg_pad_submit_page (gstoggdemux.c:1162)
==21621==    by 0xAA69E65: gst_ogg_demux_read_chain (gstoggdemux.c:2405)
==21621==    by 0xAA6B407: gst_ogg_demux_loop (gstoggdemux.c:2665)
==21621==    by 0x514FB28: gst_task_func (gsttask.c:192)
==21621==    by 0x4E85E86: (within /usr/lib/libglib-2.0.so.0.1600.4)
==21621==    by 0x4E84283: (within /usr/lib/libglib-2.0.so.0.1600.4)
==21621==    by 0x634F3F6: start_thread (pthread_create.c:297)
==21621==    by 0x6A68B2C: clone (in /usr/lib/debug/libc-2.7.so)
Seems to be a problem in libtheora header decoding in:

static int oc_comment_unpack(oggpack_buffer *_opb,th_comment *_tc){
  ...
  return theora_read(_opb,0,&len)<0?TH_EBADHEADER:0;
}

It reads 0 bits off the end, which results in oggpackB_read() reading 1 byte too much for no reason I can see.
I guess this was fixed upstream (in libtheora) with this, so closing (upstream bug, so NOTGNOME):

r14546 | tterribe | 2008-02-28 17:14:05 -0800 (Thu, 28 Feb 2008) | 2 lines

Fix possible read past the end of the buffer when reading 0 bits.
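A bounds-checked MSB-first bit reader that treats the zero-bit read from the analysis above as a no-op and refuses any read that would run past the buffer, added here as an illustration; it is not libogg's oggpackB code nor libtheora's fix. The bitreader type, the br_* functions and the sample buffers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed for this example: a minimal big-endian (MSB-first) bit reader
   in the spirit of oggpackB, with explicit bounds tracking. */
typedef struct {
    const unsigned char *buf;
    size_t len;     /* bytes available in buf */
    size_t bitpos;  /* bits consumed so far */
} bitreader;

void br_init(bitreader *br, const unsigned char *buf, size_t len) {
    br->buf = buf;
    br->len = len;
    br->bitpos = 0;
}

/* Read `bits` (0..32) MSB-first. Returns the value, or -1 if the read would
   run past the end of the buffer. A 0-bit read returns 0 without touching
   memory at all, which is the edge case the valgrind trace points at. */
long br_read(bitreader *br, int bits) {
    if (bits < 0 || bits > 32) return -1;
    if (bits == 0) return 0;                                /* nothing to fetch */
    if (br->bitpos + (size_t)bits > br->len * 8) return -1; /* would overrun */
    uint32_t v = 0;
    for (int i = 0; i < bits; i++) {
        size_t byte = br->bitpos >> 3;
        int bit = 7 - (int)(br->bitpos & 7);
        v = (v << 1) | ((br->buf[byte] >> bit) & 1u);
        br->bitpos++;
    }
    return (long)v;
}

int main(void) {
    /* Constructed 80-byte packet (the block size in the valgrind report). */
    unsigned char pkt[80] = {0};
    bitreader br;
    br_init(&br, pkt, sizeof pkt);
    for (int i = 0; i < 10; i++) br_read(&br, 32);    /* consume 320 bits */
    for (int i = 0; i < 10; i++) br_read(&br, 32);    /* consume the rest */
    printf("0-bit read at end: %ld\n", br_read(&br, 0));   /* 0, no access */
    printf("1-bit read at end: %ld\n", br_read(&br, 1));   /* -1, rejected */
    return 0;
}
```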